University Finds Flaws in Report on St. Jude Medical Device Security

Researchers from the University of Michigan have analyzed the MedSec report describing serious vulnerabilities in St. Jude Medical products and determined that the security firm may have reached inaccurate conclusions.

MedSec, a company that specializes in medical device security, analyzed the products of four major vendors and determined that St. Jude devices are the most vulnerable. Researchers claimed to have found some serious issues, including flaws that can be exploited to cause implanted cardiac devices to malfunction or drain their battery at a very fast rate.

It’s not uncommon for security researchers to find vulnerabilities in medical devices. However, instead of reporting its findings to the vendor, MedSec teamed up with investment research firm Muddy Waters and they came up with a strategy that involved disclosing the existence of the flaws and shorting St. Jude shares.

St. Jude rushed to refute the allegations and reassured customers that it’s products are not as vulnerable as MedSec and Muddy Waters claim them to be. The MedSec report, which contains only limited technical details, has also been analyzed by University of Michigan (U-M) researchers, who found that MedSec’s proof-of-concept (PoC) exploit did not actually crash the implanted cardiac device.

According to the U-M team, which includes several medical device security researchers and a cardiologist, the error message shown in a screenshot included in the MedSec report indicates that the device is not properly plugged in, not necessarily that it’s no longer working.

“We’re not saying the report is false. We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue,” said Kevin Fu, U-M associate professor of computer science and engineering, and director of the Archimedes Center for Medical Device Security.

“To the armchair engineer it may look startling, but to a clinician it just means you didn’t plug it in. In layman’s terms, it’s like claiming that hackers took over your computer, but then later discovering that you simply forgot to plug in your keyboard,” added Fu, who is also the co-founder of a medical device security startup.

University of Michigan researchers will continue to analyze the report published by Muddy Waters and MedSec. In the meantime, Muddy Waters stands by MedSec’s report and it has even published a video allegedly showing how a cardiac device can be crashed.

MedSec has admitted that its decision to team up with Muddy Waters has some business benefits and it’s aware that its practices will draw criticism, but the company believes this is the only way to “spur St. Jude Medical into action.”

Muddy Waters’ short-selling strategy has paid off as the value of St. Jude stock plunged following the disclosure, even to the point where the company was forced to enter a trading halt last Friday. St. Jude shares have now recovered some of last week’s drop.